August 27, 2012

Organisations more likely to use SaaS for sensitive data than for mission-critical data: Gartner

Gartner survey questioned 425 respondents from IT risk management disciplines in the US, UK, Germany and Canada.

By CBR Staff Writer

Organisations are more likely to use software as a service (SaaS) for sensitive data than for mission-critical data, according to a survey from Gartner.

From December 2011 to January 2012, Gartner’s latest annual survey of the state of risk management programmes globally questioned 425 respondents from IT risk management disciplines in the US, UK, Germany and Canada.

The survey found that organisations take different approaches to risk management when confronted with a need or opportunity to share data with different types of external party.

Survey respondents were asked whether they had processes in place to assess external party security, risk management, compliance, privacy and BCP/DR in four different situations.

Respondents answered "do not allow use for sensitive data or processes" almost twice as often in the case of business partners (38%) as for platform as a service (PaaS) and infrastructure as a service (IaaS) (20%).

Compared with PaaS/IaaS, organisations are about 30% more likely to have a policy against putting sensitive data into SaaS (26%), and about 45% more likely to have a policy against putting it into outsourced data centers (29%).

The survey found that only 57% of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the questionnaire is more likely to be a proprietary one, unique to the buyer’s organization, and less likely to be based on standards.

According to the survey, the change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.

About 36% of respondents said they had a policy against putting mission-critical data into an outsourced data center, making avoidance the most chosen mechanism for dealing with data center risk.

The level of response for this choice is higher than for either of the other two service models: 29% said this policy applied to SaaS, and only 22% said it applied to IaaS/PaaS.

The most significant reduction in the use of risk assessment practices has been in the practice of sending company staff to evaluate a partner’s controls on-site, which has dropped by over 40% over three years.

Gartner research vice president Jay Heiser said that the results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer.

"This year we asked about both data availability and data confidentiality policies," Heiser said.

"Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it."

The survey found that use of standards-based questionnaires has increased, while the use of proprietary surveys has dropped by the same degree, leaving the prevalence of questionnaires virtually the same.
